SPF, DKIM, DMARC Setup for Cold Email: Step-by-Step Guide
If you're sending cold email without SPF, DKIM, and DMARC configured, you're flying without a parachute. In 2024, Google and Microsoft made these authentication records mandatory for bulk senders. In 2026, they're a requirement for reliable inbox delivery — for any volume.
This guide explains what each record does, how to set them up for your cold email sending domain, how to verify everything is working, and what to do when something breaks.
Why Email Authentication Is Non-Negotiable
Email authentication records tell receiving mail servers two critical things:
- This email actually came from who it claims to be from (not a spoofed address)
- This email hasn't been tampered with in transit (the content is intact)
Without these records, Gmail, Outlook, and other providers don't know whether your email is legitimate. Their default response to uncertainty is to send emails to spam or reject them entirely.
Getting all three records right is the single highest-leverage technical action you can take for cold email deliverability. It won't fix a burned domain, but it's the foundation everything else is built on.
What Each Record Does
SPF — Sender Policy Framework
SPF is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It prevents anyone from sending email that claims to be from your domain unless they're using an authorized server.
When a receiving server gets an email from you, it checks your domain's SPF record to verify the sending server is on your approved list. If it's not, the email fails SPF.
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every email you send. The signature is generated using a private key on your sending server and verified using a public key published in your DNS records.
This proves two things: the email came from a server with access to your private key, and the email content hasn't been modified since it was signed. If someone intercepts and alters an email in transit, DKIM verification will fail.
DMARC — Domain-based Message Authentication, Reporting, and Conformance
DMARC builds on SPF and DKIM. It tells receiving servers what to do when an email fails SPF or DKIM checks, and gives you reporting on how your domain's emails are being handled.
DMARC policies:
- none: Monitor only, no action taken. Used for initial testing.
- quarantine: Emails that fail go to spam instead of inbox.
- reject: Emails that fail are rejected entirely.
Step 1: Set Up SPF
SPF is a TXT record added to your domain's DNS settings.
Where to Add It
Log into your domain registrar or DNS provider (GoDaddy, Cloudflare, Namecheap, Google Domains, etc.). Go to DNS management and add a TXT record.
SPF Record Format
Your SPF record lists all the services authorized to send email from your domain. A basic SPF record for Google Workspace looks like this:
Record Type: TXT
Host/Name: @ (or your domain)
Value: v=spf1 include:_spf.google.com ~all
For multiple sending services:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
Key elements:
- v=spf1 — SPF version (always v=spf1)
- include: — authorizes that service's servers
- ~all — soft fail (recommended for cold email)
- -all — hard fail (more strict, use after testing)
Common includes by email provider
| Email Provider | SPF Include |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| Instantly | include:spf.instantly.ai (check their docs) |
| Smartlead | include:spf.smartlead.ai (check their docs) |
| SendGrid | include:sendgrid.net |
Important: You can only have one SPF record per domain. If you have multiple services, combine them in one record. Having two SPF records breaks SPF.
Step 2: Set Up DKIM
DKIM setup requires generating a key pair through your email provider and adding the public key to your DNS.
Setting Up DKIM for Google Workspace
- Go to Google Admin Console → Apps → Google Workspace → Gmail → Authenticate Email
- Click "Generate New Record" for your domain
- Copy the DKIM TXT record value Google gives you
- Add it to your DNS:
  - Type: TXT
  - Host: google._domainkey.yourdomain.com
  - Value: [paste the value from Google]
- Wait for DNS propagation (up to 48 hours, usually under 1 hour)
- Return to Google Admin and click "Start Authentication"
Setting Up DKIM for Microsoft 365
- Go to Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat Policies
- Select DKIM → your domain → Enable
- Microsoft will show you two CNAME records to add to your DNS
- Add both CNAME records to your domain's DNS
- Once DNS propagates, Microsoft will activate DKIM automatically
Type: TXT (for Google Workspace)
Host: google._domainkey.yourdomain.com
Value: v=DKIM1; k=rsa; p=[long public key string]
Type: CNAME (for Microsoft 365)
Host: selector1._domainkey.yourdomain.com
Value: selector1-yourdomain-com._domainkey.yourtenantname.onmicrosoft.com
Step 3: Set Up DMARC
DMARC is another TXT record added to your DNS. Start with a monitoring-only policy (p=none) to collect data before enforcing.
DMARC Record Examples
Type: TXT
Host: _dmarc.yourdomain.com
Value (start here): v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
After reviewing reports, move to quarantine: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com
Eventually, full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
Parameters:
- p=none/quarantine/reject — policy for failed emails
- pct=25 — apply policy to 25% of failed emails (gradual rollout)
- rua= — where to send aggregate reports
- ruf= — where to send forensic reports (optional)
DMARC Rollout Strategy
- Month 1: p=none — Monitor and collect reports. Don't take any action yet.
- Month 2: p=quarantine; pct=10 — Apply policy to 10% of failing emails. Watch the reports.
- Month 3: p=quarantine; pct=100 — Full quarantine for failing emails.
- Month 4+: p=reject — Reject all unauthenticated emails. This is the fully enforced state.
Don't jump straight to p=reject. Take 2–4 months to work through the rollout — you may discover legitimate senders that need to be added to your SPF record first.
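The rollout leans on pct, and what receivers do with the failing mail that pct does not select is easy to overlook. The Python below is an added example, not code from the original guide; the function names are hypothetical, and it applies the RFC 7489 rule that unselected mail is handled under the next-weaker policy.

```python
# Added example: validate a DMARC record and show how pct splits failing mail.
VALID_POLICIES = ("none", "quarantine", "reject")
# RFC 7489 section 6.6.4: failing mail not sampled by pct is treated under
# the next-weaker policy (reject -> quarantine, quarantine -> none).
FALLBACK = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and validate the basics."""
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    tags = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {pair!r}")
        tags[key.strip().lower()] = value.strip()
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in VALID_POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError("pct= must be between 0 and 100")
    for uri in tags.get("rua", "").split(","):
        if uri.strip() and not uri.strip().lower().startswith("mailto:"):
            raise ValueError(f"rua= should be a mailto: URI, got {uri!r}")
    return {"p": tags["p"].lower(), "pct": pct, "rua": tags.get("rua", "")}

def failing_mail_split(record):
    """Return {disposition: percent} for messages that fail DMARC."""
    d = parse_dmarc(record)
    split = {d["p"]: d["pct"]}
    rest = FALLBACK[d["p"]]
    split[rest] = split.get(rest, 0) + 100 - d["pct"]
    return {k: v for k, v in split.items() if v}
```

With p=reject; pct=25 the result is 25% rejected and 75% quarantined, so a partial reject is already stricter than a full quarantine.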
Step 4: Verify Everything Is Working
After adding all three records and waiting for DNS propagation (up to 48 hours), verify:
- MXToolbox.com: SPF Lookup, DKIM Lookup (enter your selector: "google" for Workspace), DMARC Lookup
- mail-tester.com: Send an email to the address they give you and get a full authentication report
- Google Postmaster Tools: Shows your domain reputation for Gmail recipients over time
- Microsoft SNDS: Shows your sending reputation for Microsoft/Outlook recipients
All three records should show green / passing. If anything fails, debug before sending any cold email volume.
Common Authentication Problems and Fixes
| Problem | Likely Cause | Fix |
|---|---|---|
| SPF: Too many DNS lookups | More than 10 DNS lookups, counting nested "include:" statements | Use an SPF flattening tool to reduce lookups |
| SPF: Multiple SPF records found | Two TXT records starting with v=spf1 | Delete one, merge all includes into a single record |
| DKIM: Key not found | DNS not propagated or wrong hostname | Wait 24–48h or recheck the hostname format |
| DMARC: Not aligned | SPF/DKIM domain doesn't match From domain | Ensure your From address matches the domain with DKIM |
| Emails still going to spam | Authentication is fine but reputation is poor | See full spam folder guide |
Suplex works with any SMTP provider — Google Workspace, Microsoft 365, or custom SMTP. Once your authentication is configured, you connect your accounts to Suplex and it handles the sending, volume management, and inbox monitoring.
Understanding DMARC Reports
One of DMARC's most valuable features is the reporting it generates. Once you have DMARC active with a reporting email (rua=mailto:), you'll start receiving XML reports from major email providers showing how your domain's emails are being processed.
These reports show:
- Which IP addresses are sending email claiming to be from your domain
- Whether SPF and DKIM are passing or failing for each sender
- How many emails from each source were processed
- What action was taken (none, quarantine, reject)
Reading raw XML DMARC reports is tedious. Use a DMARC reporting tool to parse them: Dmarcian (free tier available), Postmark's DMARC Digests (free), or Google Postmaster Tools.
The reports are most useful for discovering unauthorized senders. If you see an IP address you don't recognize sending email from your domain, you have an impersonation problem. DMARC reports catch this before it becomes a major issue.
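To make the report contents concrete, the Python below is an added example (not part of the original guide) that reads an aggregate report and separates failing sources you recognize from ones you do not. The sample report is constructed with documentation IP addresses, and the function names and the known_ips allowlist are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout, using
# documentation IP ranges. Real reports arrive as zip/gzip attachments.
def record_xml(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition><dkim>{dkim}</dkim>"
            f"<spf>{spf}</spf></policy_evaluated></row><identifiers>"
            f"<header_from>yourdomain.com</header_from></identifiers></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>yourdomain.com</domain>"
                 "<p>none</p></policy_published>"
                 + record_xml("192.0.2.10", 120, "pass", "pass")
                 + record_xml("192.0.2.10", 3, "fail", "pass")
                 + record_xml("192.0.2.20", 5, "fail", "fail")
                 + record_xml("198.51.100.7", 14, "fail", "fail")
                 + "</feedback>")

def summarize(xml_text, known_ips):
    """Total mail per source IP and split failing sources by ownership."""
    # ElementTree is fine for this inline sample; for reports received from
    # outside, a hardened parser (e.g. the defusedxml package) is safer.
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"count": 0, "dmarc_fail": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        totals[ip]["count"] += count
        # policy_evaluated holds the aligned results: DMARC fails only when
        # neither DKIM nor SPF passes.
        if dkim != "pass" and spf != "pass":
            totals[ip]["dmarc_fail"] += count
    failing = {ip for ip, t in totals.items() if t["dmarc_fail"]}
    return {
        "totals": dict(totals),
        "unrecognized": sorted(failing - set(known_ips)),  # possible impersonation
        "needs_setup": sorted(failing & set(known_ips)),   # ours, not authenticated
    }
```

Sources listed under needs_setup are the legitimate senders to fix in SPF or DKIM before tightening the policy; sources under unrecognized are the ones to investigate.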
Authentication for Multiple Sending Services
If you send from multiple services — say, Google Workspace for cold email and SendGrid for transactional email — you need to include all of them in your SPF record and set up DKIM for each one.
v=spf1 include:_spf.google.com include:sendgrid.net include:spf.protection.outlook.com ~all
DKIM keys needed:
- Google Workspace: google._domainkey.yourdomain.com
- SendGrid: s1._domainkey.yourdomain.com (custom domain setup in SendGrid)
- Each service generates its own DKIM key pair
Common mistake: forgetting to add a service to SPF when you start using it. Every time you connect a new email service, update your SPF record and set up DKIM for that service before sending through it.
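The single-record rule from Step 1 and the lookup limit from the troubleshooting table can both be checked before a merged record is published. The Python below is an added example, not code from the original guide: the zone data is constructed (the nested records are invented, not the providers' real ones), the function names are hypothetical, and it goes slightly beyond the text by following nested includes and flagging a +all ending.

```python
# Added example. ZONE is constructed sample data standing in for DNS TXT
# lookups; the nested records are invented, not the providers' real ones.
ZONE = {
    "yourdomain.com": ["v=spf1 include:_spf.google.com include:sendgrid.net ~all",
                       "site-verification=constructed-sample"],
    "_spf.google.com": ["v=spf1 include:_netblocks.example ~all"],
    "_netblocks.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "sendgrid.net": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "broken.example": ["v=spf1 include:_spf.google.com ~all",
                       "v=spf1 include:sendgrid.net ~all"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS query

def spf_records(domain, zone):
    """TXT records at `domain` that are SPF records (start with v=spf1)."""
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone, depth=0):
    """Count DNS-querying terms reachable from `domain`, following includes."""
    records = spf_records(domain, zone)
    if len(records) != 1 or depth > 10:      # depth guard stops include loops
        return 0
    total = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, depth + 1)
            continue
        name, _, target = term.partition(":")
        if name.split("/")[0] in LOOKUP_MECHS:
            total += 1
            if name == "include":
                total += count_lookups(target, zone, depth + 1)
    return total

def lint_spf(domain, zone):
    """Return a list of problems; an empty list means no issue was found."""
    records = spf_records(domain, zone)
    if len(records) != 1:
        return [f"{len(records)} SPF records found, exactly 1 required"]
    problems = []
    if records[0].split()[-1] in ("all", "+all"):
        problems.append("record ends in +all, which authorizes every server")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups, limit is 10")
    return problems
```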